Does anyone have one or would like to buy one so we can put it to the test. Flashy video on the site, good advertising https://www.ironkey.com/

Take a look let me know what you think... I do like the part where the AES, cyrpochip w/self destruct to kill the keys For $149.00 for the 4GB I better be able to run it over with a bull dozer and have still be working!

I've got a free sample of the Ironkey, it is quite nice.Nice tactile feel, solid metal case. The chap I spoke to made some bold claims about it working after being submerged for 24 hours, once dried off but as the internals are epoxy coated, no big suprise.Apparently, youtube has a video of one being run over by a bobcat and working afterwards.It is supported under XP, Vista and MacOS, so saddos like me that stick to Linux and Win2k are out of luck. I have tested in on the wife's laptop and it does what it says on the tin.There is, apparently, a management verison coming out. This should give to sysadmin the opportunity to set the number of times a password can be attempted before the key is fried. I asked if frying could be avoided completely but the salesman didn't seem to know.I also visited Sandisk with the same requirements. The sandisk stick seems to be reasonably good, too.While it is in no way ruggedised like the ironkey it has the benefit (?) of not frying itself. Again, there are two versions, the managed and the unamanaged. Both can be set to block access after 'n' attempts, the managed one will be subsequently recoverable, the unmanaged one will need to be reformatted but is not bricked.The Sandisk is supported under Win2k, XP and Vista.

The Ironkey and the Sandisk both claim FIPS 140-2. Unfortunately, neither are going through the process of CAPS approval (UK Govt.) For the Sandisk, there is a different version for the FIPS which has an epoxy coating over the crypto chip to prevent analysis attacks.

Both are big (physically) compared to their unencrypted counterparts, about the size of a standard disposable lighter.

The only other difference is that the Ironkey is 128 bit AES and the Sandisk is 256 bit AES.

One thing that bothers me about both devices is that you are stuck with using the key material that the crypto chip holds. I would like to see a device that allows the crypto manager to reprogram the key with a key that they have generated. The reason for this is twofold. If, as with the Ironkey, the key is fried, the data can still be retrieved. Second, and this is the paranoid in me, if the crypto is added by the manufacturer, would they not keep a record of the key, therefore enabling them to retrieve data should the key find it's way back to them?

[Edited for poor typing]

Last edited by Bogwitch on Fri Apr 25, 2008 7:10 am, edited 1 time in total.

nice write up and comparison. I agree that user generated crypto keys would be nice, but it is likely just the paranoia that the manufacturer would be interested in checking all returned devices. However, if the key found it's way into mainstream then thats another story.

I'm not sure I like the idea 'bricking' the device after 'x' failed attempts, seen too many users looking themselves out of wind0ze, might keep that feature for techies only.

I'd be slightly wary of any manufacturer claiming a standard that it is not going to try and achieve officially. This could be a huge selling factor in the UK after the recent 'lost' CD screw-ups.....

Anyone checked out MXI Security's devices? Stealth MXP (Biometric) and passport (non biometric) they seem to offer everything the other two do (AES256 built from the ground up like Ironkey, FIPS for over a year, management software, data destruction option) yet im not seeing them being mentioned anywhere were people are looking at secure USB devices.

Have you had a chance to play with one of these? If so, what did you think?

Quick update for the Sandisk, disappointing, the password requirement is 3 of the four character sets, length 6-16 characters. If we assume a charater set consisting of 76 characters, this gives us an entropy of 6.25 bits. 6.25*16 gives us 100 bits. Pretty much makes the 256 bit encryption redundant, doesn't it!

I also got a sample IronKey a few months ago when we were doing some different reviews on secure media solutions.

Personally I think its a good device, I like the way it can store its own secure programs, and also provide a method for surfing in a secure manner with what they call the "Secure Sessions Service".

The most important bit, they look swish too Seriously though, as said, it does what it says on the tin, great for personal and enterprise usage. Like most things in the IT and Security marketplace, everyone is doing everything. So if your accident prown, and often fall over in puddles, the IronKey is the one for you.

The IronKey Enterprise edition has also recently been released. It allows enterprise administrators to recover locked devices, to customize the password strength and self-destruct policies, to manage devices centrally, and to configure which software applications are available on the devices.

One difference between the IronKey AES encryption and that of others like SanDisk is that IronKey uses the correct mode of AES for large block encryption - cipher-block chaining (CBC). SanDisk uses Electronic Code Book (ECB) which is not designed for blocks of data larger than about 32 bytes. Here is a wikipedia entry that discusses the algorithmic differences and has some cool images to show the encryption differences.

Dave_IronKey wrote:One difference between the IronKey AES encryption and that of others like SanDisk is that IronKey uses the correct mode of AES for large block encryption - cipher-block chaining (CBC). SanDisk uses Electronic Code Book (ECB) which is not designed for blocks of data larger than about 32 bytes. Here is a wikipedia entry that discusses the algorithmic differences and has some cool images to show the encryption differences.

Do you have any numbers on the length of time and tools to actually crack that data via the different types of block cipher operations? Does anything actually exists to brute force decrypt anything encrypted on an ironkey or something similar?

If one takes 50 years and the other takes 100 years is there really much of a difference? I understand that computing power grows...blah blah blah.

For the average user how "lasting" is any data that would actually be stuck on a thumb, I guess that should drive anyones choices for encryption, not just USB sticks.